Mirai runs hidden behind a new network prefix at dataflow.su
Read how we discovered where one of the Mirai C2s is hidden and how new network prefixes and fake ASNs are used by bulletproof hosters. Check how routing announcements are pushed from hidden locations, how RIPE objects are created with fake documents and how a “grocery store” got the IP space!

Nick The Lim – The upraise
Read about Nick Lim's upraise against @MalwareTech and how @BannedOffline makes fun of the very same person who hosted the Ghost Hackers Squad website.

Who is Rainbow?
Learn who is behind many attacks in VDOS and Booter.xyz. Meet one more Pony. Meet Rainbow.

The 665 Gbps attack on “Krebs On Security”
During September 2016 we monitored the activities of Ghost Squad Hackers (GSH), a hacker group that until then had actively participated in various Anonymous operations, such as #OpIcarus targeting banks, or #OpIsrael.

Kepler, the Russian web flooder
If you wonder how malicious actors find newly assigned address space to operate bulletproof hosting providers, keep reading! We have been monitoring VDOS and other similar services for a few years now, trying to better understand this “pay-as-you-go attack industry”.

New Mirai instances are being deployed! (Part 1)
This page collects updates on our findings about the Mirai botnet. The information on this page has been obtained by analyzing several samples of the malware. Despite the media attention that Mirai has received so far, very little information is available about the other infrastructure needed to operate the botnet.

Mirai Samples (Part 2)
This article includes a collection of Mirai samples that we have collected for different platforms.

Santa's Big Candy Cane. Mirai C&C
On Friday 30th September, Anna-senpai posted the source code of the Mirai botnet. After reviewing the code and comparing it with our own findings, we can confirm that the released code is authentic. The botnet communicates with two “services”: one is the command and control, the other is a “reporter”…

Fantomnet and Ghost Anti-DDoS
@BannedOffline started to collaborate closely with Fantomnet to build an anti-DDoS hosting service for GSH and their supporters: ghostantiddos.com. Fantomnet claims to have two members, Crazy and Mike Fantom. ghostantiddos.com's low-cost DDoS protection strategy was to host the protected site behind third-party providers offering DDoS protection and to focus on layer 7 (application) protection, as this is the most common traffic that leaks through such providers.

Are Stress Testing Services Legitimate?
The business logic behind stress testing services is that site owners should have the right to test and benchmark the security and performance of their websites. Stress testing service owners offer a service that “in theory” is supposed to be used for legitimate purposes. Here is a collection of reasons why we believe that stress

The “Sindicate” and DNS amplification
Thanks to the leak of data from the VDOS stress tester, we could get access to the history of commands run on the server. A selection of those commands shows how the owners of VDOS were feeding their attack amplification tools with lists of open resolvers.
The lists were obtained by actively scanning the whole Internet from a server of an organization known as the “Sindicate Group”.

About

A large part of denial of service attacks is powered by providers and transit carriers that allow spoofed traffic to leave their networks. There are enough technical means and community understanding to identify where the attacks are sourced, but nothing seems to change.

At Spoof IT, we believe the time has come for creative action: attackers and their shameless supporters need to be exposed.

Contributors

Thanks to all who have reached out with new details about bad actors online!
We are especially interested in hearing more about hosting providers and fake resellers that allow spoofing, and about known upstream providers taking a cut of the business.
If you have evidence, please forward it or join us!